Following on from some earlier work on OpenBSD's "hardened" malloc, in 2007/2008 I spent some time reverse engineering Windows Vista's much vaunted heap implementation. I found several way to write a heap exploit that targetted heap structures instead of application chunks, and ended up doing a Blackhat presentation about this in 2008:

Attacking the Vista Heap

Given that it's almost universally easier to find some useful application specific memory to overflow, the question I most often receive about this presentation is: so, uh, has anyone ever written an exploit using these techniques?

...

Philistines!

- hawkes@inertiawar.com (@benhawkes)